Splunk SIEM with Splunk Enterprise, Cloud, and Splunk ES

What Is Splunk SIEM?

Splunk is a big data solution that provides security information and event management (SIEM) capabilities. You can use one of three Splunk solutions to set up a SIEM:

  • Splunk Enterprise—enables basic SIEM capabilities in an on-premises deployment model.
  • Splunk Cloud—enables basic SIEM capabilities in a cloud deployment model.
  • Splunk Enterprise Security (ES)—can be deployed both on Splunk Enterprise and Splunk Cloud, enables advanced SIEM use cases.

Either of these solutions allow you to collect, analyze, and correlate massive amounts of network and machine data in real time. Managed through a web browser, Splunk provides security teams relevant, actionable intelligence to effectively respond to threats and manage security processes.

Using Splunk as Your SIEM

Splunk security solutions meet the basic requirements of SIEM systems, and in addition, provide security analytics that offer context and visual insight into security incidents.

Splunk offers on-premises, cloud, or hybrid deployment options for businesses looking to deploy a new SIEM or migrate from an existing SIEM system.

Using Splunk Enterprise and Splunk Cloud as a SIEM

You can leverage both Splunk Enterprise and Splunk Cloud to solve for basic SIEM use cases. The core Splunk platform is a mature big data security intelligence platform that supports ingestion, indexing, search, and reporting. Many Splunk customers use Splunk Enterprise or Splunk Cloud to build their own real-time correlated searches and dashboards for security event management.

Building your SIEM based on Splunk infrastructure allows you to:

  • Support a Security Operations Center (SOC) of any size.

  • Enable tasks such as security posture assessment, monitoring, alert and incident handling, CSIRT, breach analysis and response, and incident correlation.

  • Detect known and unknown threats, investigate threats, evaluate compliance, and gain insights using advanced security analytics.

  • Perform advanced breach analysis using ad-hoc searches.

  • Access detection and security research content for major cloud providers.

Related content: Read our guide to Splunk security solutions.

Using Splunk Enterprise Security (ES)

Splunk ES is an advanced solution that supports advanced SIEM use cases out of the box. Splunk ES runs on Splunk Enterprise, Splunk Cloud, or both. Its main security features include:

  • Dashboards, search, and reporting capabilities suited for security use cases.

  • Pre-built correlation rules and alerts.

  • Incident reviews and security workflow management.

  • Integration with third-party threat intelligence feeds.

  • General-purpose security frameworks to support compliance, application security, incident management, advanced threat detection, and real-time monitoring.

  • Analytics-driven security combining machine learning, anomaly detection, and standards-based correlation.

  • Visual correlation of events over time, enabling security teams to immediately see the details of a multi-stage attack.

  • Adding business context to alerts to enable detection, monitoring, and reporting on threats in real time.


In addition, there are over 300 apps available on Splunkbase with pre-built search, reporting, and visualization for third-party security vendors. These out-of-the-box applications, utilities, and plug-ins address specific use cases such as:

  • Security monitoring

  • Next-generation firewall (NGFW)

  • Advanced threat management

You can also leverage support from the Splunk Security Research Team, who can help address new and advanced threats within the Splunk platform.

Related content: Read our guide to Splunk Enterprise Security.

Other Splunk Solutions Supporting SIEM Use Cases

Splunk provides several other solutions that can help you set up an effective SIEM:

  • Splunk Mission Control is a solution that powers and enhances the capabilities of Splunk ES. It lets you detect, manage, investigate, track, contain, and remediate threats and high-priority security issues throughout the incident lifecycle. Splunk ES combined with Splunk Mission Control enable better SOC management, efficient investigations, and streamlined processes.

  • Splunk User Behavior Analytics provides advanced user behavioral analytics (UBA) capabilities to analyze the behavior of entities on the network, identify anomalies and alert security teams when anomalies appear to be malicious.

  • Splunk SOAR (formerly known as Splunk Phantom) enables automatically identifying incidents and executing security playbooks to contain and mitigate the threat. It can integrate with and orchestrate response via your existing security tools.

Related content: Read our guide to Splunk Phantom (Splunk SOAR).

Splunk SIEM: Strengths and Challenges

Here are key strengths of Splunk as a SIEM solution:

  • Core SOC tools to support existing security investments—Splunk SIEM is suitable for organizations requiring a core platform that integrates with UEBA, SOAR, and other existing solutions.

  • Out-of-the-box integrations—Splunk accommodates organizations requiring integrations and support for third-party tools through Splunkbase apps, APIs, the Mission Control plugin framework, and Splunk SOAR.

  • Multiple pricing models—Splunk has expanded its licensing model to give buyers options beyond data-volume-based pricing. New options include workload-based pricing (using local vCPUs and Splunk Cloud virtual compute units) and a tiered pricing model available to private sector buyers.

  • Mature, well-known solution—Splunk has high visibility and a large installed base among large organizations in North America and Europe, and is gaining visibility in other regions.


Using Splunk as a SIEM solution also presents some challenges, as reported in the Gartner SIEM Magic Quadrant report:

  • Pricing and contract flexibility—Splunk’s pricing and contract flexibility is lower than many of its competitors in the SIEM space.

  • Cloud-native security operations—the Splunk ES solution is available on Splunk Cloud, but not all of Splunk’s security solutions are delivered in a cloud model. For example, Splunk UBA and Splunk SOAR are currently offered in a hosting model only in selected regions. However, Mission Control can provide a single UI for all three solutions, whether deployed on-premises or in the cloud.

  • Geographical support—Splunk Cloud provides points of presence (PoPs) in North America, Europe, and Asia Pacific. Organizations operating in other regions need to consider data residency and latency issues.

Splunk SIEM Pricing

Splunk SIEM has the following pricing options:

Workload Pricing

Workload pricing matches your Splunk investments with how you produce insights from your data. The main factor in this pricing model is the compute capacity that each workload consumes (instead of the volume of data ingested). Splunk offers visibility into the consumption of your license and lets you control the usage of your overall compute capacity for all your Splunk capabilities and use cases. This model applies to cloud products and certain on-premise offerings.

Splunk is easier to use with workload pricing, allowing you to resolve growing use cases across various departments (i.e., DevOps, IT, etc.) through a single data-to-everything platform. The workload pricing model is flexible and lets you scale your usage to meet changing needs. It measures compute capacity for analytics and search workloads.

Splunk Virtual Compute units (SVCs) are the metric used to measure workloads in the Splunk Cloud Platform. Virtual Central Processing Units (vCPUs) are the metric used to measure workloads in Splunk Data Stream Processor and Splunk Enterprise.

Ingest Pricing

The ingest pricing model is based on the data ingestion volume of Splunk products. Customers can select the ingest level they purchase based on their daily data ingestion needs (GB per day). This pricing model remains available for existing customers.